Before SNI (introduced in TLS in 2003, widely deployed by 2010), each SSL-protected domain needed its own dedicated IPv4 address. The server had to pick a certificate to present based on which IP the client connected to.
SNI fixes this: the client tells the server which hostname it's trying to reach as part of the initial TLS handshake. The server picks the right certificate for that hostname. Multiple HTTPS sites can share an IP.
This is why a single Cloudflare or Hostinger IP address can serve millions of different HTTPS sites — each request includes SNI, and the edge server presents the matching cert.
Practical implications:
- Free or shared SSL is now possible. Lets Encrypt, Cloudflare, and CDNs rely on SNI to serve certificates for unlimited customer domains from shared infrastructure.
- Very old clients can't do SNI — specifically, Internet Explorer on Windows XP and Android 2.x. In 2026 these are practically extinct (<0.01% of traffic).
- Privacy concern: SNI is sent in plaintext during the handshake, so anyone monitoring the network can see which domain you're visiting (though not the content). Encrypted Client Hello (ECH), an emerging extension, fixes this by encrypting SNI itself.